Tuesday, December 30, 2014

#Facebook Hacking


#Facebook Hacking: using the Android 'Same Origin Policy' vulnerability (#isoeh), still unpatched on many devices!

Users of the default web browser on Android versions before 4.4 are exposed to an attack, affecting a large number of Android devices, that lets an attacker bypass the Same Origin Policy (SOP). The Android SOP vulnerability (CVE-2014-6041) allows one website to steal data from another. Facebook users are an easy target for attacks exploiting this flaw, because Metasploit exploit code for it is publicly available.

What is the SOP? It is the rule, built into the browser to protect users, that a page served from one origin (scheme, host and port) may not read the contents of, or run script inside, a page from another origin. This is what stops a third-party site from injecting code into your site's pages without the site owner's authorization.

The weakness: on older Android smartphones the SOP can be bypassed, which amounts to a universal #Cross-Site scripting flaw: script on the attacker's page runs as if it belonged to the framed site. In the attacks described here, the malicious #JavaScript file is served to victims from a file stored in a cloud storage account.

Attack vector:
-> The crafted page contains obfuscated JavaScript code, which includes an attempt to load a Facebook URL in an inner frame.
-> The user sees only a blank page, because the page's #HTML wraps its content in a div styled not to display anything.
-> The inner frame is only one pixel in size!

Once the JavaScript runs in the context of the victim's Facebook session, it can perform various tasks on the account on behalf of the legitimate account holder. After hijacking the account, the attacker can:
~ Add friends
~ Like and follow any Facebook page
~ Modify subscriptions
~ Authorize Facebook apps to access the user's public profile, friends list, birthday information and likes
~ Steal the victim's access #tokens and upload them to the attacker's server
~ Collect analytics data (such as the victim's location, HTTP referrer, etc.) using a legitimate analytics service

What makes it worse:
The SOP vulnerability resides in the stock browser of the affected Android devices, which cannot be uninstalled because it ships as part of the operating system. What you can do is disable the #BROWSER app: go to Settings > Apps > All and look for its icon. Open it, find the DISABLE button and select it to disable the Browser. Then browse with an app that does not rely on the stock engine (Chrome for Android, which uses its own engine, was not affected by this bug).
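As an added example (not code from the original post, nor from the researchers or the Metasploit module it refers to), the Node.js script below shows two things: what the Same Origin Policy actually compares, and a heuristic scan of an HTML document for the attack-page layout described above (a hidden div wrapping a one-pixel iframe that loads the victim site). The sample page, the host names and the "two of three indicators" threshold are all constructed for the demonstration.

```javascript
"use strict";

// Added example, not from the original post. Part 1: what the SOP compares.
// Part 2: scan a page for the hidden one-pixel frame described in the post.
// The HTML near the bottom is constructed for this demonstration.

// ---- Part 1: the origin tuple ----------------------------------------------
// A document's origin is (scheme, host, port). Script may read another
// document's DOM only when all three match exactly. A SOP bypass lets the
// attacker's script run as if it had the *framed* document's origin instead.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || ""; // URL elides defaults
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// ---- Part 2: scanning a page for the described indicators ------------------
// Value of one attribute inside a tag's attribute string (quoted or bare).
function attrValue(attrs, name) {
  const re = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Leading number of an HTML/CSS length ("1", "1px", "0.5em"); null if absent.
function leadingNumber(v) {
  const m = v == null ? null : /^\s*(\d+(?:\.\d+)?)/.exec(v);
  return m ? Number(m[1]) : null;
}

const HIDDEN_DIV = /<div\b[^>]*\bstyle\s*=\s*["'][^"']*display\s*:\s*none[^"']*["'][^>]*>/gi;
const IFRAME = /<iframe\b([^>]*)>/gi;

// Returns every iframe that matches at least two of the three indicators the
// post lists: it frames the target site, it is one pixel large, and it sits
// inside a display:none div (heuristic: no </div> between opener and iframe).
function findSuspiciousFrames(html, targetHost) {
  const hiddenOpeners = [];
  for (const m of html.matchAll(HIDDEN_DIV)) hiddenOpeners.push(m.index + m[0].length);

  const hits = [];
  for (const m of html.matchAll(IFRAME)) {
    const attrs = m[1];
    const src = attrValue(attrs, "src");
    let host = null;
    try { host = src ? new URL(src).hostname : null; } catch { /* relative or junk src */ }

    const framesTarget = host !== null && (host === targetHost || host.endsWith("." + targetHost));
    const w = leadingNumber(attrValue(attrs, "width"));
    const h = leadingNumber(attrValue(attrs, "height"));
    const onePixel = w !== null && h !== null && w <= 1 && h <= 1;
    const opener = hiddenOpeners.filter((o) => o <= m.index).pop();
    const insideHiddenDiv = opener !== undefined && !html.slice(opener, m.index).includes("</div>");

    const indicators = { framesTarget, onePixel, insideHiddenDiv };
    const score = Object.values(indicators).filter(Boolean).length;
    hits.push({ src, score, ...indicators });
  }
  return hits.filter((hit) => hit.score >= 2); // threshold chosen for the demo
}

// Constructed sample: the layout the post describes, plus one benign embed.
const SAMPLE_PAGE = `
<html><body>
<div style="display:none">
  <iframe src="https://m.facebook.com/" width="1" height="1"></iframe>
</div>
<div><iframe src="https://www.youtube.com/embed/x" width="560" height="315"></iframe></div>
</body></html>`;

console.log("attacker page and Facebook share an origin:",
  sameOrigin("https://attacker.example/page", "https://m.facebook.com/"));
console.log(findSuspiciousFrames(SAMPLE_PAGE, "facebook.com"));
```

The scan is only a triage aid: the attribute matching is regex-based, so it also matches `data-src`, and the nesting check is an approximation. Its value is that the three indicators come straight from the description of the attack page, so the same logic can be run over captured landing pages or proxy logs to flag candidates for manual review.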
